5,436 research outputs found
Distillation for run-time malware process detection and automated process killing
Adversaries are increasingly motivated to spend energy trying to evade
automatic malware detection tools. Dynamic analysis examines the behavioural
trace of malware, which is difficult to obfuscate, but the time required for
dynamic analysis means it is not typically used in practice for endpoint
protection but rather as an analysis tool. This paper presents a run-time model
to detect malicious processes and automatically kill them as they run on a real
endpoint in use. This approach enables dynamic analysis to be used to prevent
harm to the endpoint, rather than to analyse the cause of damage after the
event. Run-time detection introduces the risk of malicious damage to the
endpoint and necessitates that malicious processes are detected and killed as
early as possible to minimise the opportunities for damage to take place. A
distilled machine learning model is used to improve inference speed whilst
benefiting from the parameters learned by a larger, more computationally
intensive model. This paper is the first to focus on tangible benefits of
process killing to the user, showing that the distilled model is able to
prevent 86.34% of files being corrupted by ransomware whilst maintaining a low
false positive rate for unseen benignware of 4.72%.
Towards a Better Indicator for Cache Timing Channels
Recent studies highlighting the vulnerability of computer architecture to
information leakage attacks have been a cause of significant concern. Among the
various classes of microarchitectural attacks, cache timing channels are
especially worrisome since they have the potential to compromise users' private
data at high bit rates. Prior works have demonstrated the use of cache miss
patterns to detect these attacks. We find that cache miss traces can be easily
spoofed and thus they may not be able to identify smarter adversaries. In this
work, we show that cache occupancy, which records the number of cache
blocks owned by a specific process, can be leveraged as a stronger indicator
for the presence of cache timing channels. We observe that the modulation of
cache access latency in timing channels can be recognized through analyzing
pairwise cache occupancy patterns. Our experimental results show that cache
occupancy patterns cannot be easily obfuscated even by advanced adversaries
that successfully evade cache miss-based detection.
ct-fuzz: Fuzzing for Timing Leaks
Testing-based methodologies like fuzzing are able to analyze complex software
which is not amenable to traditional formal approaches like verification, model
checking, and abstract interpretation. Despite enormous success at exposing
countless security vulnerabilities in many popular software projects,
applications of testing-based approaches have mainly targeted checking
traditional safety properties like memory safety. While unquestionably
important, this class of properties does not precisely characterize other
important security aspects such as information leakage, e.g., through side
channels. In this work we extend testing-based software analysis methodologies
to two-safety properties, which enables the precise discovery of information
leaks in complex software. In particular, we present the ct-fuzz tool, which
lends coverage-guided greybox fuzzers the ability to detect two-safety property
violations. Our approach is capable of exposing violations to any two-safety
property expressed as equality between two program traces. Empirically, we
demonstrate that ct-fuzz swiftly reveals timing leaks in popular cryptographic
implementations.
Control Behavior Integrity for Distributed Cyber-Physical Systems
Cyber-physical control systems, such as industrial control systems (ICS), are
increasingly targeted by cyberattacks. Such attacks can potentially cause
tremendous damage, affect critical infrastructure or even jeopardize human life
when the system does not behave as intended. Cyberattacks, however, are not new
and decades of security research have developed plenty of solutions to thwart
them. Unfortunately, many of these solutions cannot be easily applied to
safety-critical cyber-physical systems. Further, the attack surface of ICS is
quite different from what can be commonly assumed in classical IT systems.
We present Scadman, a system with the goal to preserve the Control Behavior
Integrity (CBI) of distributed cyber-physical systems. By observing the
system-wide behavior, the correctness of individual controllers in the system
can be verified. This allows Scadman to detect a wide range of attacks against
controllers, like programmable logic controllers (PLCs), including malware
attacks, code-reuse and data-only attacks. We implemented and evaluated Scadman
based on a real-world water treatment testbed for research and training on ICS
security. Our results show that we can detect a wide range of
attacks--including attacks that have previously been undetectable by typical
state estimation techniques--while causing no false-positive warning for
nominal threshold values. Comment: 15 pages, 8 figures
Putting Together the Pieces: A Concept for Holistic Industrial Intrusion Detection
Besides the advantages derived from the ever present communication
properties, it increases the attack surface of a network as well. As industrial
protocols and systems were not designed with security in mind, spectacular
attacks on industrial systems occurred over the last years. Most industrial
communication protocols do not provide means to ensure authentication or
encryption. This means attackers with access to a network can read and write
information. Originally not meant to be connected to public networks, the use
cases of Industry 4.0 require interconnectivity, often through insecure public
networks. This led to an increasing interest in information security products
for industrial applications. In this work, the concept for holistic intrusion
detection methods in an industrial context is presented. It is based on
different works considering several aspects of industrial environments and
their capabilities to identify intrusions as an anomaly in network or process
data. These capabilities are based on preceding experiments on real and
synthetic data. In order to justify the concept, an overview of potential and
actual attack vectors and attacks on industrial systems is provided. It is
shown that different aspects of industrial facilities, e.g. office IT, shop
floor OT, firewalled connections to customers and partners are analysed as well
as the different layers of the automation pyramid require different methods to
detect attacks. Additionally, the singular steps of an attack on industrial
applications are characterised. Finally, a resulting concept for integration of
these methods is proposed, providing the means to detect the different stages
of an attack by different means. Comment: This is the preprint of a work submitted to and accepted at the
proceedings 2019 European Conference on Cyber Warfare and Security (ECCWS)
Technical Report: A Toolkit for Runtime Detection of Userspace Implants
This paper presents the Userspace Integrity Measurement Toolkit (USIM
Toolkit), a set of integrity measurement collection tools capable of detecting
advanced malware threats, such as memory-only implants, that evade many
traditional detection tools. Userspace integrity measurement validates that a
platform is free from subversion by validating that the current state of the
platform is consistent with a set of invariants. The invariants enforced by the
USIM Toolkit are carefully chosen based on the expected behavior of userspace,
and key behaviors of advanced malware. Userspace integrity measurement may be
combined with existing filesystem and kernel integrity measurement approaches
to provide stronger guarantees that a platform is executing the expected
software and that the software is in an expected state.
Learning Execution Contexts from System Call Distributions for Intrusion Detection in Embedded Systems
Existing techniques used for intrusion detection do not fully utilize the
intrinsic properties of embedded systems. In this paper, we propose a
lightweight method for detecting anomalous executions using a distribution of
system call frequencies. We use a cluster analysis to learn the legitimate
execution contexts of embedded applications and then monitor them at run-time
to capture abnormal executions. We also present an architectural framework with
minor processor modifications to aid in this process. Our prototype shows that
the proposed method can effectively detect anomalous executions without relying
on sophisticated analyses or affecting the critical execution paths.
Identifying Extension-based Ad Injection via Fine-grained Web Content Provenance
Extensions provide useful additional functionality for web browsers, but are
also an increasingly popular vector for attacks. Due to the high degree of
privilege extensions can hold, extensions have been abused to inject
advertisements into web pages that divert revenue from content publishers and
potentially expose users to malware. Users are often unaware of such practices,
believing the modifications to the page originate from publishers.
Additionally, automated identification of unwanted third-party modifications is
fundamentally difficult, as users are the ultimate arbiters of whether content
is undesired in the absence of outright malice.
To resolve this dilemma, we present a fine-grained approach to tracking the
provenance of web content at the level of individual DOM elements. In
conjunction with visual indicators, provenance information can be used to
reliably determine the source of content modifications, distinguishing
publisher content from content that originates from third parties such as
extensions. We describe a prototype implementation of the approach called
OriginTracer for Chromium, and evaluate its effectiveness, usability, and
performance overhead through a user study and automated experiments. The
results demonstrate a statistically significant improvement in the ability of
users to identify unwanted third-party content such as injected ads with modest
performance overhead. Comment: International Symposium on Research in Attacks, Intrusions and
Defenses (RAID), Paris, France, September 201
Detecting Standard Violation Errors in Smart Contracts
We present SOLAR, a new analysis tool for automatically detecting standard
violation errors in Ethereum smart contracts. Given the Ethereum Virtual Machine
(EVM) bytecode of a smart contract and a user-specified constraint or invariant
derived from a technical standard such as ERC-20, SOLAR symbolically executes
the contract, explores all possible execution paths, and checks whether it is
possible to initiate a sequence of malicious transactions to violate the
specified constraint or invariant. Our experimental results highlight the
effectiveness of SOLAR in finding new errors in smart contracts. Out of the
evaluated 779 ERC-20 and 310 ERC-721 smart contracts, SOLAR found 255 standard
violation errors in 197 vulnerable contracts with only three false
positives. 237 out of the 255 errors are zero-day errors that were not reported
before. Our results sound the alarm on the prevalence of standard violation
errors in critical smart contracts that manipulate publicly traded digital
assets.
Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core
Covert channels enable information leakage across security boundaries of the
operating system. Microarchitectural covert channels exploit changes in
execution timing resulting from competing access to limited hardware resources.
We use the recent experimental support for time protection, aimed at preventing
covert channels, in the seL4 microkernel and evaluate the efficacy of the
mechanisms against five known channels on Ariane, an open-source 64-bit
application-class RISC-V core. We confirm that without hardware support, these
defences are expensive and incomplete. We show that the addition of a
single-instruction extension to the RISC-V ISA, that flushes microarchitectural
state, can enable the OS to close all five evaluated covert channels with low
increase in context switch costs and negligible hardware overhead. We conclude
that such a mechanism is essential for security. Comment: 6 pages, 7 figures, submitted to CARRV '20, additional appendix